New Member
Posts: 41
Registered: 12-14-2015
Kudos: 1

Why is there a lots of IPSEC Tunnels..


I have 1 Ipsec tunnel configured between an Edgerouter 4 and PFSense.

 

The output on the Edgerouter for command

show vpn ipsec status

shows this output:

 

IPSec Process Running PID: 1752

14 Active IPsec Tunnels

IPsec Interfaces :

Why are there 14 IPsec tunnels?

Established Member
Posts: 1,486
Registered: 07-07-2014
Kudos: 324
Solutions: 99

Re: Why is there a lots of IPSEC Tunnels..


@kallabaz wrote:

I have 1 Ipsec tunnel configured between an Edgerouter 4 and PFSense.

 

The output on the Edgerouter for command

show vpn ipsec status

shows this output:

 

IPSec Process Running PID: 1752

14 Active IPsec Tunnels

IPsec Interfaces :

Why are there 14 IPsec tunnels?


You have one site-to-site peer, but how many tunnels?  Each subnet is a separate tunnel, you must have 14 subnets?

 

For example, I have one peer here, but two tunnels (two remote subnets):

 

            peer 1.2.3.4 {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret secret
                }
                connection-type initiate
                description ""
                ike-group FOO2
                ikev2-reauth inherit
                local-address any
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group FOO2
                    local {
                        prefix 10.0.33.1/24
                    }
                    remote {
                        prefix 192.168.254.1/24
                    }
                }
                tunnel 2 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group FOO2
                    local {
                        prefix 10.0.33.1/24
                    }
                    remote {
                        prefix 10.22.1.1/24
                    }
                }
            }
New Member
Posts: 41
Registered: 12-14-2015
Kudos: 1

Re: Why is there a lots of IPSEC Tunnels..

No. 1 peer, 1 tunnel, 1 subnet.

Established Member
Posts: 1,486
Registered: 07-07-2014
Kudos: 324
Solutions: 99

Re: Why is there a lots of IPSEC Tunnels..


@kallabaz wrote:

No. 1 peer, 1 tunnel, 1 subnet.


Odd!

 

What's the output of

 

show vpn ipsec sa
Veteran Member
Posts: 7,600
Registered: 03-24-2016
Kudos: 1977
Solutions: 871

Re: Why is there a lots of IPSEC Tunnels..

You have one peer, 2 tunnels.  Each tunnel takes 2 SAs, so that makes 8.

New SAs are created before old ones time out, so 14 still makes (some) sense.

Regular Member
Posts: 627
Registered: 01-06-2017
Kudos: 139
Solutions: 53

Re: Why is there a lots of IPSEC Tunnels..

 

I had a similar problem 2 years ago where none of the child SAs were deleting.  There was a line in /etc/ipsec.conf that read "rekey=no"  Commenting that out solved the issue back then.

 

I'd make sure you are using the latest firmware on the router.  I would also enable dead peer detection and make sure all the lifetime parameters are the same on both sides.

New Member
Posts: 41
Registered: 12-14-2015
Kudos: 1

Re: Why is there a lots of IPSEC Tunnels..

16again:

No I have 1 peer 1 tunnel.

 

stshaw:

Thanks for the advice. Is anything else affected by commenting it out?

 

jms33:

Here's the output.

X.X.X.X = Peer

Y.Y.Y.Y = Local subnet

Z.Z.Z.Z = Remote subnet

 

peer-X.X.X.X-tunnel-1: #116, ESTABLISHED, IKEv2, 8e357fc30c4e820b:a9eebefc0af11689
  local  'secpefw033' @ 212.247.91.102
  remote 'X.X.X.X' @ X.X.X.X
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
  established 9336s ago, rekeying in 18415s, reauth in 17933s
  peer-X.X.X.X-tunnel-1: #1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128/MODP_2048
    installed 1680 ago, rekeying in 917s, expires in 1920s
    in  cc92dab9,   3259 bytes,    27 packets,     6s ago
    out cc038f3c,   3785 bytes,    27 packets,     6s ago
    local  Y.Y.Y.Y/25
    remote Z.Z.Z.Z/24
  peer-X.X.X.X-tunnel-1: #1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128/MODP_2048
    installed 1632 ago, rekeying in 1118s, expires in 1969s
    in  cbd91958,   4282 bytes,    30 packets,     6s ago
    out c78839e0,   6487 bytes,    30 packets,     6s ago
    local  Y.Y.Y.Y/25
    remote Z.Z.Z.Z/24
  peer-X.X.X.X-tunnel-1: #1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128/MODP_2048
    installed 1571 ago, rekeying in 1037s, expires in 2030s
    in  c3f9e4b3,    609 bytes,    11 packets,     6s ago
    out cc074946,    813 bytes,    11 packets,     6s ago
    local  Y.Y.Y.Y/25
    remote Z.Z.Z.Z/24
  peer-X.X.X.X-tunnel-1: #1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128/MODP_2048
    installed 1533 ago, rekeying in 1186s, expires in 2068s
    in  c55cfbce,      0 bytes,     0 packets
    out c639a2aa,      0 bytes,     0 packets
    local  Y.Y.Y.Y/25
    remote Z.Z.Z.Z/24
  peer-X.X.X.X-tunnel-1: #1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128/MODP_2048
    installed 1528 ago, rekeying in 1091s, expires in 2072s
    in  c8dad3f5,   4950 bytes,    36 packets,     6s ago
    out c906da55,   6852 bytes,    36 packets,     6s ago
    local  Y.Y.Y.Y/25
    remote Z.Z.Z.Z/24
  peer-X.X.X.X-tunnel-1: #1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128/MODP_2048
    installed 1464 ago, rekeying in 1097s, expires in 2136s
    in  c5d3d0ff,      0 bytes,     0 packets
    out c49fdbf9,      0 bytes,     0 packets
    local  Y.Y.Y.Y/25
    remote Z.Z.Z.Z/24
  peer-X.X.X.X-tunnel-1: #1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128/MODP_2048
    installed 1461 ago, rekeying in 1315s, expires in 2139s
    in  cdeeab4b,    755 bytes,    10 packets,     6s ago
    out c82bb215,   1321 bytes,    10 packets,     6s ago
    local  Y.Y.Y.Y/25
    remote Z.Z.Z.Z/24
  peer-X.X.X.X-tunnel-1: #1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128/MODP_2048
    installed 1432 ago, rekeying in 1286s, expires in 2168s
    in  c5cb3716,   2644 bytes,    12 packets,     6s ago
    out c341bc80,   4348 bytes,    12 packets,     6s ago
    local  Y.Y.Y.Y/25
    remote Z.Z.Z.Z/24
  peer-X.X.X.X-tunnel-1: #1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128/MODP_2048
    installed 1412 ago, rekeying in 1192s, expires in 2188s
    in  c4e7f3d8,   1727 bytes,    20 packets,     6s ago
    out c88cd0fb,   2073 bytes,    20 packets,     6s ago
    local  Y.Y.Y.Y/25
    remote Z.Z.Z.Z/24
  peer-X.X.X.X-tunnel-1: #1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128/MODP_2048
    installed 1358 ago, rekeying in 1452s, expires in 2242s
    in  cce2e8f8,    133 bytes,     1 packets,     6s ago
    out c674eabd,    316 bytes,     1 packets,     6s ago
    local  Y.Y.Y.Y/25
    remote Z.Z.Z.Z/24
  peer-X.X.X.X-tunnel-1: #1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128/MODP_2048
    installed 1352 ago, rekeying in 1329s, expires in 2249s
    in  c983baad, 1215508 bytes,  6399 packets,     6s ago
    out cc25e7a9, 1334022 bytes,  6776 packets,     6s ago
    local  Y.Y.Y.Y/25
    remote Z.Z.Z.Z/24
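A quick way to see what that tunnel count is made of, as an added example that is not from the thread or from EdgeOS itself: this Python script parses `show vpn ipsec sa` output in the layout pasted above and reports, per tunnel, how many CHILD_SAs are installed and which of them are older than the rekey overlap or carry no traffic, i.e. the ones that should already have been deleted. The sample text, the addresses and the 60-second overlap threshold are constructed assumptions, not values from the thread.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of EdgeOS "show vpn ipsec sa" (not the thread's real output)
SAMPLE = """\
peer-203.0.113.10-tunnel-1: #116, ESTABLISHED, IKEv2, 8e357fc30c4e820b:a9eebefc0af11689
  established 9336s ago, rekeying in 18415s, reauth in 17933s
  peer-203.0.113.10-tunnel-1: #1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128/MODP_2048
    installed 1533 ago, rekeying in 1186s, expires in 2068s
    in  c55cfbce,      0 bytes,     0 packets
    out c639a2aa,      0 bytes,     0 packets
  peer-203.0.113.10-tunnel-1: #1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128/MODP_2048
    installed 1352 ago, rekeying in 1329s, expires in 2249s
    in  c983baad, 1215508 bytes,  6399 packets,     6s ago
    out cc25e7a9, 1334022 bytes,  6776 packets,     6s ago
"""

CHILD_RE = re.compile(r"^\s+(\S+): #\d+, INSTALLED, (?:TUNNEL|TRANSPORT), ESP")
INSTALLED_RE = re.compile(r"^\s+installed (\d+)s? ago")
SPI_RE = re.compile(r"^\s+(in|out)\s+([0-9a-f]+),\s+(\d+) bytes,\s+(\d+) packets")

def parse_child_sas(text):
    """Return {tunnel_name: [child SA dicts]} for every INSTALLED CHILD_SA in the output."""
    tunnels = defaultdict(list)
    child = None
    for line in text.splitlines():
        m = CHILD_RE.match(line)
        if m:  # indented "<tunnel>: #n, INSTALLED, ..." opens a new CHILD_SA record
            child = {"age": None, "spi": {}, "packets": 0}
            tunnels[m.group(1)].append(child)
            continue
        if child is None:  # still in the IKE_SA header block
            continue
        if (m := INSTALLED_RE.match(line)):
            child["age"] = int(m.group(1))
        elif (m := SPI_RE.match(line)):
            child["spi"][m.group(1)] = m.group(2)
            child["packets"] += int(m.group(4))
    return dict(tunnels)

def find_stale(tunnels, overlap=60):
    """One CHILD_SA per tunnel is normal; a second one is expected only briefly around a rekey.
    overlap (seconds) is an assumed threshold for that window, not a value from the thread."""
    report = {}
    for name, kids in tunnels.items():
        newest = min(k["age"] for k in kids)  # smallest age = most recently installed
        stale = [k["spi"]["in"] for k in kids
                 if k["age"] != newest and (k["age"] - newest > overlap or k["packets"] == 0)]
        report[name] = {"installed": len(kids), "stale_in_spis": stale}
    return report
```

Run it against the real output (`show vpn ipsec sa > sa.txt`) and any tunnel whose stale list is non-empty is one where old CHILD_SAs are not being torn down.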
Established Member
Posts: 1,486
Registered: 07-07-2014
Kudos: 324
Solutions: 99

Re: Why is there a lots of IPSEC Tunnels..

Hi @kallabaz ,

 

That's unusual! I assume in your redacted config that "X.X.X.X" is always the same address, just like Y.Y.Y.Y and Z.Z.Z.Z?

 

What firmware are you using? 1.10.8 is recommended as the latest stable release. If you are not already running that, I'd highly recommend upgrading, along with the other tips that @stshaw gave you: "I would also enable dead peer detection and make sure all the lifetime parameters are the same on both sides."

Regular Member
Posts: 627
Registered: 01-06-2017
Kudos: 139
Solutions: 53

Re: Why is there a lots of IPSEC Tunnels..

 

@kallabaz I didn't see any adverse effects from commenting out that line.  It might not even be present in your config, though.

 

It looks like you are using IKEv2.  If that's the case, then you can disregard my comment about enabling dead peer detection.  IKEv2 has its own mechanism for this.  I found that if I kept DPD enabled on the Edgerouter and used IKEv2, the tunnels would come up initially, but would die after a few hours.

 

 

New Member
Posts: 41
Registered: 12-14-2015
Kudos: 1

Re: Why is there a lots of IPSEC Tunnels..

Yes. X.X.X.X is the same address in the whole config, and so on.
The Edgerouter is on dynamic IP and PFsense on a Public IP.

1.10.8 is the firmware we use.

jms33 prefers DPD and stshaw doesn't?
Established Member
Posts: 1,486
Registered: 07-07-2014
Kudos: 324
Solutions: 99

Re: Why is there a lots of IPSEC Tunnels..


@kallabaz wrote:
Yes. X.X.X.X is the same address in the whole config, and so on.
The Edgerouter is on dynamic IP and PFsense on a Public IP.

1.10.8 is the firmware we use.

jms33 prefers DPD and stshaw doesn't?

It's not a matter of preference, it's what works best for you.

Member
Posts: 149
Registered: 02-28-2016
Kudos: 23
Solutions: 7

Re: Why is there a lots of IPSEC Tunnels..

Hmm... this is interesting... because... I have the same issue as you....

 

I am using GRE-IPSEC-OSPF with 2 hubs, and the output I have is as below.

 

:~$ show vpn ipsec status
IPSec Process Running PID: 17549

8 Active IPsec Tunnels

 

My settings are perfectly the same from the hub to the spokes (mirror images). Not sure what to think of this either. It doesn't appear to be affecting performance, though, from what anyone can notice.

Member
Posts: 149
Registered: 02-28-2016
Kudos: 23
Solutions: 7

Re: Why is there a lots of IPSEC Tunnels..

Removing the dead peer detection part of the configuration solved the problem for me.  It would appear that IKEv2 does define its own mechanisms for this feature, and manually defining it is unnecessary and even detrimental.

 

Thanks

Regular Member
Posts: 627
Registered: 01-06-2017
Kudos: 139
Solutions: 53

Re: Why is there a lots of IPSEC Tunnels..

 


@XanALaOM00 wrote:

Removing the dead peer detection part of the configuration solved the problem for me.  It would appear that IKEv2 does define its own mechanisms for this feature, and manually defining it is unnecessary and even detrimental.

 

Thanks


Thanks for reporting your finding.  This is what I experienced also.
